Upcoming Pidgin security disclosures
mark at kingant.net
Sat Aug 20 14:12:49 EDT 2011
On Fri, Aug 19, 2011 at 5:38 AM, Tomas Hoger <thoger at redhat.com> wrote:
> On Thu, 18 Aug 2011 02:14:18 -0700 Mark Doliner wrote:
>> 2. Remote crash in MSN protocol plugin (yes, another one). You
>> haven't heard about this one yet. Caused by incorrect handling of
>> HTTP 100 Continue responses from MSN servers when using the HTTP
>> connection method. The HTTP connection method is not a default
>> setting--it must have been enabled by the user for them to be
>> susceptible to this attack. We believe it is not possible to execute
>> code. It is possible for the server to trigger a crash.
> Is this a buffer over-read as the patch suggests?
I believe so, yes.
> Looks like the
> server needs to provide enough headers for the over-read size to be of
> its choosing.
Right. Well, I think it's not the number of headers so much as the
combined length of all the remaining headers.
>> We do not know whether it is possible for a remote user to trigger a
>> crash, but it seems unlikely to us. This bug isn't too bad, so my
>> preference is to NOT get a CVE# for it. But if people think a CVE#
>> is a good idea then let's do it.
> I'd say this should really depend on whether crashes by malicious
> servers (or MITM attackers manipulating traffic to/from a server) are
> considered security for pidgin, or rather viewed as undesired nuisance
> which is still fairly unimportant compared to the actual use of
> malicious server / MITMed server connection. I agree this sounds more
> like a bug.
I generally wouldn't consider crashes caused by MITM attackers or
malicious servers to be CVE-worthy. Definitely something that should
be fixed. But not something that is likely to lead to remote crashes
or exploits on a grand scale.
More information about the Packagers